Do PHP sessions set any cookies?

Question

I only manually set one cookie on my social network site, but I rely heavily on php sessions. I am wondering if sessions set any cookies behind the scenes?

I was just reading up on HttpOnly-cookies and I am just trying to figure out if I can use them.

Answer 1

It does, there's a cookie named PHPSSID that stores the session ID.

For HttpOnly cookies, see http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html

Answer 2

PHP sessions can use cookies depending on how you configure them. Have a look at these settings:

• session.use_cookies (boolean): specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).
• session.use_only_cookies (boolean): specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0.

If you disable session cookies, a GET parameter is used instead.

Answer 3

Yes. PHP sessions rely on a cookie containing a session key. Your session data are stored only on your server, but a unique ID is assigned to each session and that ID gets saved in a cookie.

What relationship do you see between a session cookie and a traditional cookie set as HttpOnly?

Also: keep in mind that HttpOnly is not supported across all browsers.

Answer 4

PHP sessions use HTTP to get and set the session ID, and the filesystem to store the sessions - no cookies are used at any point unless you actually create them using setcookie();

Jamie